The following PLXsert advisory came out last week, but I'm just back from vacation and catching up on what I missed. This one is high-risk and worth mentioning here.
Public dumps of compromised data from several high-profile attacks have fueled an increase in automated and systematic attempts to reuse stolen credentials at multiple websites.
The requests use systematically randomized user agents, which marks the traffic as automated rather than coming from a single browser. The most heavily targeted sector is online financial services; other industries targeted by these brute force attacks are online entertainment, high-tech consulting and Software-as-a-Service (SaaS).
What the bad guys are doing:
- Attackers are harvesting ID and password combinations from public dumps of compromised data.
- Automated tools are used to systematically attempt to gain access to other sites using the available credentials.
- Online financial services is the most targeted industry for these types of attacks.
- Other frequent targets are online entertainment, high-tech consulting and Software-as-a-Service (SaaS) providers.
- The availability of numerous high-profile, large data dump leaks is contributing to the problem.
- The use of brute force login attempts tends to surge following compromises and disclosures of big data dumps.
To blunt these attacks, enterprises can follow the same best practices around passwords and access control that have been standard for years:
- Enforce password complexity requirements
- Enforce account lockout threshold limits
- Monitor suspicious traffic and activity following login attempts or successful logins
- Use tools such as CAPTCHA or reCAPTCHA
- Use multi-factor authentication
- Use randomized URLs for login to mitigate automated tools
- Lock out IP addresses that have made multiple failed login attempts, provided they are not shared proxies (blocking a proxy also blocks the legitimate users behind it)
- Use rate control rules
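Several of the mitigations above (lockout thresholds, per-IP lockout with a proxy exception, rate control) and the randomized user-agent signal mentioned earlier can be checked directly against authentication logs. The script below is an added example written for this post, not code from PLXsert or the advisory. The log lines, IP addresses, thresholds and the list of known shared proxies are all constructed for the example and are assumptions, not values from the advisory.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the advisory).
# Fields: timestamp, client IP, user agent (may contain spaces), account, result.
# 203.0.113.7 sprays many accounts with a different user agent on every request;
# 198.51.100.9 is one user who mistypes a password twice and then logs in.
SAMPLE_LOG = """\
2014-10-20T10:00:01Z 203.0.113.7 Mozilla/5.0 (Windows NT 6.1) alice FAIL
2014-10-20T10:00:02Z 203.0.113.7 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) bob FAIL
2014-10-20T10:00:03Z 203.0.113.7 Mozilla/5.0 (X11; Linux x86_64) carol FAIL
2014-10-20T10:00:04Z 203.0.113.7 Mozilla/5.0 (iPhone; CPU iPhone OS 7_1) dave FAIL
2014-10-20T10:00:05Z 203.0.113.7 Mozilla/5.0 (Android 4.4; Mobile) erin OK
2014-10-20T10:00:06Z 203.0.113.7 Opera/9.80 (Windows NT 6.1) frank FAIL
2014-10-20T10:01:00Z 198.51.100.9 Mozilla/5.0 (Windows NT 6.1) alice FAIL
2014-10-20T10:01:05Z 198.51.100.9 Mozilla/5.0 (Windows NT 6.1) alice FAIL
2014-10-20T10:01:30Z 198.51.100.9 Mozilla/5.0 (Windows NT 6.1) alice OK
"""

# Detection thresholds: assumptions chosen for this example, not figures
# from the advisory. Tune them to the normal traffic of your own login page.
WINDOW = timedelta(minutes=5)   # sliding window per source IP
MAX_FAILURES = 5                # failed logins before the IP hits the lockout threshold
MAX_ACCOUNTS = 4                # distinct accounts tried from one IP
MAX_USER_AGENTS = 3             # distinct user agents seen from one IP
MIN_BURST = 5                   # attempts needed before the rate rule is evaluated
MAX_RATE_PER_MINUTE = 60        # login attempts per minute from one IP

# Constructed allowlist of shared egress proxies (corporate NAT, carrier proxies).
KNOWN_SHARED_PROXIES = {"198.51.100.9"}


def parse_line(line):
    """Split one log line into fields. The user agent contains spaces, so take
    two fields off the front and two off the back; the middle is the UA."""
    ts, ip, rest = line.split(" ", 2)
    ua, account, result = rest.rsplit(" ", 2)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "ua": ua,
        "account": account,
        "ok": result == "OK",
    }


def analyse(log_text):
    """Group attempts by source IP and flag credential-stuffing patterns.
    Returns {ip: sorted list of finding names} (empty list means clean)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        hits = set()
        start = 0
        # Slide a time window over this IP's attempts and evaluate each rule
        # on the attempts currently inside the window.
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > WINDOW:
                start += 1
            window = events[start:end + 1]
            failures = sum(1 for e in window if not e["ok"])
            accounts = {e["account"] for e in window}
            agents = {e["ua"] for e in window}
            span = (window[-1]["ts"] - window[0]["ts"]).total_seconds()
            rate = len(window) * 60 / max(span, 1)
            if failures >= MAX_FAILURES:
                hits.add("lockout-threshold")
            if len(accounts) >= MAX_ACCOUNTS:
                hits.add("many-accounts")
            if len(agents) >= MAX_USER_AGENTS:
                hits.add("randomized-user-agent")
            if len(window) >= MIN_BURST and rate > MAX_RATE_PER_MINUTE:
                hits.add("rate-limit")
        findings[ip] = sorted(hits)
    return findings


def recommended_action(ip, hits):
    """Map findings to a response. A known shared proxy gets a challenge
    (CAPTCHA / step-up auth) rather than a block, because locking it out
    would also lock out the legitimate users behind it."""
    if not hits:
        return "allow"
    if ip in KNOWN_SHARED_PROXIES:
        return "challenge"
    return "lock-out"


if __name__ == "__main__":
    for ip, hits in analyse(SAMPLE_LOG).items():
        print(ip, hits, "->", recommended_action(ip, hits))
```

Running it flags the spraying source on all four rules and leaves the single mistyping user untouched. The user-agent rule is the cheap one to add to an existing lockout policy: a real browser on one IP rarely presents more than one or two user-agent strings in five minutes, while the tooling described in the advisory presents a new one on almost every request.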